At CRYPTO 2015, Kirchner and Fouque claimed that a carefully tuned variant of the Blum-Kalai-Wasserman (BKW) algorithm (JACM 2003) should solve the Learning with Errors problem (LWE) in slightly subexponential time for modulus $q=\mathrm{poly}(n)$ and a narrow error distribution, when given enough LWE samples. Taking a modular view, one may regard BKW as a combination of Wagner's algorithm (CRYPTO 2002), run over the corresponding dual problem, and the Aharonov-Regev distinguisher (JACM 2005). Hence the subexponential Wagner step alone should be of interest for solving this dual problem, namely the Short Integer Solution problem (SIS), but this appears to be undocumented so far. We re-interpret this Wagner step as walking backward through a chain of projected lattices, zigzagging through some auxiliary superlattices. We further randomize the bucketing step using Gaussian randomized rounding, so as to exploit the powerful discrete Gaussian machinery. This approach avoids sample amplification and turns Wagner's algorithm into an approximate discrete Gaussian sampler for $q$-ary lattices. For an SIS lattice with $n$ equations modulo $q$, the algorithm runs in subexponential time $\exp(O(n/\log \log n))$ and reaches a Gaussian width parameter $s = q/\mathrm{polylog}(n)$ while requiring only $m = n + \omega(n/\log \log n)$ SIS variables. This directly provides a provable algorithm for the Short Integer Solution problem in the infinity norm ($\mathrm{SIS}^\infty$) with norm bound $\beta = q/\mathrm{polylog}(n)$. This variant of SIS underlies the security of the NIST post-quantum cryptography standard Dilithium. Despite its subexponential complexity, Wagner's algorithm does not appear to threaten Dilithium's concrete security.
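To make the "Wagner step over the dual problem" concrete, here is an added example (not code from the paper, and not its Gaussian-randomized algorithm): the plain Wagner k-tree of CRYPTO 2002 applied to $\mathrm{SIS}^\infty$. It buckets on exact residues modulo $q$ rather than on Gaussian randomized roundings, so each merge zeroes a block of coordinates instead of merely shrinking them, and it keeps supports disjoint so every surviving combination has coefficients in $\{-1,0,1\}$, i.e. $\beta = 1$. The SIS instance, the toy parameters $n=6$, $q=7$, $m=600$ and the function names are all constructed for this illustration.

```python
import random
from collections import defaultdict


def make_sis_instance(n, m, q, seed=0):
    """Constructed random SIS instance: A in Z_q^{n x m}, one column per SIS variable."""
    rng = random.Random(seed)
    return [[rng.randrange(q) for _ in range(m)] for _ in range(n)]


def is_sis_solution(A, x, q, beta):
    """Check x != 0, ||x||_inf <= beta and A x == 0 (mod q)."""
    if not any(x) or max(abs(c) for c in x) > beta:
        return False
    return all(sum(a * c for a, c in zip(row, x)) % q == 0 for row in A)


def wagner_sis(A, q, b, depth):
    """
    Plain Wagner k-tree (k = 2**depth lists) on SIS^infty, exact bucketing mod q.
    Level l pairs entries of two lists that agree on coordinates [l*b, (l+1)*b)
    and keeps their difference, which is zero there; the last level matches on
    all remaining coordinates.  Lists start from disjoint column ranges, so the
    sparse combination x always has coefficients in {-1, 0, +1} and Hamming
    weight at most 2**depth.  Returns x with A x == 0 (mod q), or None.
    """
    n, m = len(A), len(A[0])
    k = 2 ** depth
    assert (depth + 1) * b <= n, "need n >= (depth+1)*b coordinates to match on"
    per = m // k
    # Each list entry is (A x mod q, x) with x stored sparsely as {column: coeff}.
    lists = [[([row[j] for row in A], {j: 1}) for j in range(t * per, (t + 1) * per)]
             for t in range(k)]
    for level in range(depth):
        lo = level * b
        hi = n if level == depth - 1 else lo + b  # last level: match everything left
        merged = []
        for i in range(0, len(lists), 2):
            buckets = defaultdict(list)
            for w, y in lists[i + 1]:
                buckets[tuple(w[lo:hi])].append((w, y))
            out = []
            for v, x in lists[i]:
                for w, y in buckets.get(tuple(v[lo:hi]), ()):
                    diff = [(a - c) % q for a, c in zip(v, w)]  # = A (x - y) mod q
                    comb = dict(x)
                    comb.update({j: -c for j, c in y.items()})  # supports are disjoint
                    out.append((diff, comb))
            merged.append(out)
        lists = merged
    for v, x in lists[0]:
        if not any(v):
            sol = [0] * m
            for j, c in x.items():
                sol[j] = c
            return sol
    return None


if __name__ == "__main__":
    n, m, q = 6, 600, 7  # toy parameters, constructed for this example
    A = make_sis_instance(n, m, q, seed=1)
    x = wagner_sis(A, q, b=2, depth=2)
    print("found:", x is not None, "valid:", x is not None and is_sis_solution(A, x, q, 1))
```

The point to take from running it is the sample cost rather than the tiny solution: with $k = 2^t$ lists and $b = n/(t+1)$ coordinates per level, each list needs about $q^b$ columns, so the plain k-tree consumes $m \approx 2^t q^{n/(t+1)}$ SIS variables, which is exactly the sample-hungry regime (here $m = 600$ for $n = 6$) that the abstract's Gaussian-randomized variant replaces with $m = n + \omega(n/\log\log n)$ at the price of a larger norm bound $\beta = q/\mathrm{polylog}(n)$. At Dilithium-scale $n$ and $q$ neither the toy nor, per the abstract, the refined variant gives a practical attack.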